The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that threat actors are actively attempting to breach systems associated with critical infrastructure, specifically mentioning water and wastewater systems (WWS).
According to CISA, threat actors are targeting internet-exposed operational technology (OT) and industrial control system (ICS) devices using unsophisticated methods such as brute force attacks and logging in with default credentials. Since OT/ICS devices help monitor and control physical processes in manufacturing, critical infrastructure, and other industries, CISA is concerned that unauthorized access to them could cause physical harm.
To mitigate the risk associated with this threat activity, CISA is encouraging network defenders to change default passwords, enable multifactor authentication (MFA), place human-machine interfaces (HMIs) behind firewalls, harden VNC installs, and apply the latest security updates to strengthen the overall security posture of their IT environments.
Source: Bleeping Computer
Analysis
CISA’s warning comes amid reports that Arkansas City, a small city in Kansas, was forced to switch its water treatment facility to manual operations due to a recent cyberattack deemed serious enough that the Department of Homeland Security and the FBI had been called in to investigate. The fact that CISA specifically mentioned water and wastewater systems in its warning makes it likely that this incident was the reason it made its warning in the first place.
CISA isn’t the first agency to sound the alarm regarding the targeting of water and wastewater systems. Earlier this week, the Water Information Sharing and Analysis Center (WaterISAC), a nonprofit organization that helps protect water utilities from physical and cyber threats, issued a threat advisory warning of Russian-linked threat actors targeting the water sector. The U.S. Environmental Protection Agency (EPA) also issued guidance for evaluating cybersecurity practices and identifying measures to reduce water and wastewater facilities’ exposure to cyberattacks.
Over the past few years, state-sponsored threat actors have compromised U.S.-based WWSs. China-linked Volt Typhoon hackers breached critical infrastructure organizations, including drinking water systems, and Iran-affiliated threat actors compromised a water facility in Pennsylvania. In July 2024, the U.S. sanctioned two Russian members of the Russia-aligned hacktivist group Cyber Army of Russia Reborn (CARR) for cyberattacks that targeted U.S.-based WWS, one of which resulted in the overflow of a water storage tank in Texas.
It's likely that malicious cyber threat activity towards WWS and other critical infrastructure networks will continue as long as the current geopolitical tensions and conflicts, such as the Russian invasion of Ukraine and South China Sea disputes, remain ongoing. Thus, it’s imperative that at-risk organizations take the necessary precautions to defend their networks to mitigate the threat posed by this activity.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for emerging threats to OT/ICS. Field Effect MDR users are automatically notified if OT/ICS threat-related activity is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Given that OT/ICS are popular targets for hackers, and the vital importance of the industrial processes they control, it’s extremely important to ensure that these systems are not only kept up to date, but tested regularly for unknown vulnerabilities, misconfigurations, rogue user accounts, the use of default credentials, and other signs of compromise. It’s also vital that ICS are not exposed to the internet unless there is a legitimate business need to do so, and only after proper controls (IP whitelisting, MFA, etc.) are put in place.
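The two behaviours CISA describes, repeated credential guessing against an exposed HMI/VNC service and a login from a source that was never meant to reach it, are both visible in the service's authentication log. The detection below is an added illustration written for this article, not Field Effect or CISA code; it assumes a constructed log line format and a constructed allowlist of permitted management addresses, and flags a source once it reaches five failures within a minute, any successful login from outside the allowlist, and a success that immediately follows a run of failures.

```python
"""Flag brute-force and out-of-policy logins against an internet-exposed HMI/VNC service."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format (not any real VNC server's syntax): "<ISO timestamp> vnc <result> from <ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+) vnc (?P<result>auth-ok|auth-fail) from (?P<ip>[\d.]+)$")

# Constructed sample log: a guessing run that eventually succeeds, one legitimate login, one stray failure
SAMPLE_LOG = """\
2024-09-25T02:00:01 vnc auth-fail from 198.51.100.7
2024-09-25T02:00:02 vnc auth-fail from 198.51.100.7
2024-09-25T02:00:03 vnc auth-fail from 198.51.100.7
2024-09-25T02:00:04 vnc auth-fail from 198.51.100.7
2024-09-25T02:00:05 vnc auth-fail from 198.51.100.7
2024-09-25T02:00:06 vnc auth-ok from 198.51.100.7
2024-09-25T02:10:00 vnc auth-ok from 10.20.0.5
2024-09-25T03:00:00 vnc auth-fail from 203.0.113.9
"""

ALLOWLIST = {"10.20.0.5"}  # constructed: the only address permitted to reach the HMI


def analyze(log_text, allowlist=ALLOWLIST, threshold=5, window=timedelta(minutes=1)):
    """Return (kind, ip, timestamp) alerts for brute force, out-of-allowlist logins,
    and a success that follows failures within the window."""
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not authentication events
        ts = datetime.fromisoformat(m["ts"])
        ip, result = m["ip"], m["result"]
        if result == "auth-fail":
            # keep only failures inside the sliding window, then add this one
            failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
            if len(failures[ip]) == threshold:  # alert once, when the threshold is first reached
                alerts.append(("brute_force", ip, ts))
        else:
            if ip not in allowlist:
                alerts.append(("login_outside_allowlist", ip, ts))
            if failures[ip] and ts - failures[ip][-1] <= window:
                alerts.append(("success_after_failures", ip, ts))  # possible guessed/default password
    return alerts


if __name__ == "__main__":
    for kind, ip, ts in analyze(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind} {ip}")
```

The same three checks apply to any HMI or remote-access service whose log records the source address and the outcome of each login attempt.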